dragonflyoss
/
dragonfly
mirror of https://github.com/dragonflyoss/dragonfly.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

chore: generate SLSA3 provenance for GoReleaser (#3516) 

Signed-off-by: Gaius <gaius.qi@gmail.com>
This commit is contained in:
Gaius 2024-09-18 16:04:53 +08:00
parent 608b6a200b
commit 79bd59a8e0
No known key found for this signature in database
GPG Key ID: 647A0EE86907F1AF
2 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/docker.yml vendored
View File

@ -13,6 +13,7 @@ permissions:
jobs: jobs:
push_image_to_registry: push_image_to_registry:
name: Push Image name: Push Image
permissions: write-all
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
matrix: matrix:
@ -91,7 +92,7 @@ jobs:
org.opencontainers.image.title="dragonfly" org.opencontainers.image.title="dragonfly"
org.opencontainers.image.description=${{ github.event.repository.description }} org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }} org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.source="https://github.com/dragonflyoss/Dragonfly2" org.opencontainers.image.source=https://github.com/${{ github.repository }}
org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }} org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }}
build-args: | build-args: |

27
.github/workflows/release.yml vendored
View File

@ -14,6 +14,8 @@ jobs:
contents: write contents: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 60 timeout-minutes: 60
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4.1.7 uses: actions/checkout@v4.1.7
@ -34,9 +36,34 @@ jobs:
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6.0.0 uses: goreleaser/goreleaser-action@v6.0.0
id: run-goreleaser
with: with:
distribution: goreleaser distribution: goreleaser
version: latest version: latest
args: release args: release
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate subject
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
provenance:
needs: [goreleaser]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true # upload to a new release